ConfigMgr : Query Machines with LocalGroupMembers where users are admins on machine


Enable the class LocalGroupMembers from here >


SQL Query to find domain users who are administrators on the workstations/servers

SELECT v_R_System.Netbios_Name0, v_R_System.User_Name0, v_R_System.AD_Site_Name0, LocalGroupMembers_DATA.Account00, LocalGroupMembers_DATA.Category00, LocalGroupMembers_DATA.Disabled00, LocalGroupMembers_DATA.Domain00, LocalGroupMembers_DATA.Name00,
v_R_System ON LocalGroupMembers_DATA.MachineID = v_R_System.ResourceID
where Name00 like ‘%Administrators%’ and Type00 like ‘%Domain%’ and Category00 like ‘%UserAccount%’

Output :



SCCM 2012: dynamic app install Policy download failed

When Rebooting Is Not The Answer

I had an issue the other day with an application not installing that I had been installing for a long time through the UDI wizard with the MDT Integration with SCCM 2012.  Suddenly it had stopped installing and I got the below error in the SMSTS.log.

Make sure the application is marked for dynamic app install Policy download failed, hr=0x80004005. The operating system reported error 2147500037: Unspecified error

While this error can be caused by symbols such as a comma or ampersand in the application name for me it was because I had changed the application name to a more user-friendly name which in turn broke the UDI as it doesn’t dynamically update application names.  I simply went into the UDI and removed and re-added the application and it started working again.

View original post

Filtered GPO’s are broken

When Rebooting Is Not The Answer

I was updating a logon script today and realized that for some reason it wasn’t applying to the machine.   I ran rsop and gpresult but neither one showed the policy or the logon script.  The gpo was filtered to a specific group of users and the user was clearly a member of the group so I was befuddled what was going on.  I finally found a Security update KB 3159398 for Group Policy that came out in June that while fixing a dangerous man-in-the-middle attack breaks filtering if Domain Computer group does not have read permissions to the OU.  Follow the below steps to fix and your gpo will be working like normal.

  1. Open up the gpo in group policy management and click the delegation tab.
  2. Click Add and type in domain computers.capture
  3. Set permissions to read as is the default.capture2
  4. Enjoy your fixed GPO’s!

Link to Microsoft Security update and known…

View original post 3 more words